Splunk Enterprise Release Notes

Last updated: Sep 17, 2025

  • Jul 31, 2025
    • Parsed from source:
      Jul 31, 2025
    • Detected by Releasebot:
      Sep 17, 2025

    Splunk Enterprise by Splunk

    What's new in 9.4.4

    Splunk Enterprise 9.4.4 was released on July 31, 2025. It resolves the issues described in Fixed issues.

  • Jul 28, 2025
    • Parsed from source:
      Jul 28, 2025
    • Detected by Releasebot:
      Sep 17, 2025
    • Modified by Releasebot:
      Nov 15, 2025

    Splunk Enterprise by Splunk

    Splunk Enterprise 10.0

    Splunk Enterprise 10.0 arrives with edge data processing, stronger security (mTLS and FIPS 140-3), OpenSSL 3.0 and Python 3.9, richer access controls, new dashboards and observability features, and expanded data movement plus admin enhancements for faster, safer deployments.

    Splunk Enterprise 10.0 Release Notes

    Splunk Enterprise 10.0 was released on July 28, 2025.
    If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
    For system requirements information, see the Installation Manual.
    Before proceeding, review the Known Issues for this release.

    Planning to upgrade from an earlier version?

    If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
    See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
    The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

    What's New in 10.0

    • Edge Processor service: The Edge Processor solution is a service hosted within your Splunk Enterprise deployment designed to help you manage data ingestion within your network boundaries. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments.
    • Updated support for Federal Information Processing Standards (FIPS): Splunk Enterprise now has updated support for the FIPS Publication #140-2 module and new support for Publication #140-3 module. These modules let you run Splunk Enterprise in FIPS mode to comply with these guidelines. The updated FIPS 140-2 module that comes with Splunk Enterprise 10.0 is valid until March of 2026. This gives you time to move over to the new FIPS 140-3 module after you upgrade both Splunk Enterprise components and your forwarding tier infrastructure to version 10.
    • Support for encryption with mutual transport layer security (mTLS): Splunk Enterprise now supports the configuration of mTLS for encryption of network connections between Splunk Enterprise instances and services.
    • OpenSSL version 3.0 support: Splunk Enterprise version 10.0 brings support for OpenSSL version 3.0, which replaces the deprecated OpenSSL version 1.0.2. Additionally, the software is bound to version 3.9 of the Python runtime environment for secure connections to services and APIs.
    • Fine-grained access to search knowledge objects: Splunk admins now have improved options for assigning permissions to roles for access to knowledge objects. Three new capabilities grant admins increased flexibility in assigning access to the objects and replace the admin_all_objects capability, which was the only option available previously.
    • Sidecars: Sidecars are processes that run alongside the splunkd process to fulfill specific functions. They support introducing new features to the Splunk platform. For example, several sidecars support enhanced data management in the on-premises environment.
    • Dashboards Trusted Domains List: Admins can add and remove domains using the Dashboards Trusted Domains List page.
    • Dashboards in the Audit Trail app: Using the Audit Trail app, you can quickly gain insights on security, compliance, and the operation of a Splunk platform instance. The dashboards help you monitor user activities and changes of knowledge objects in real time, based on data from the audit index, index=_audit.
    • Support for the savedsearch command in standard mode federated searches: You can now use the savedsearch command to run federated searches over remote saved search datasets located on standard mode federated providers.
    • Expanded SPL support for standard mode searches in Federated Search for Splunk: Support has been added for the following commands in standard mode federated searches for Federated Search for Splunk: mcollect, sendalert, sendemail.
    • Email domains enhancement: A new enhancement for the Email Domains setting under Server settings in Splunk Web lets administrators specify whether to allow or deny all email domains, or use email domains in a comma-separated list.
    • OAuth 2.0 support for email server authentication: Splunk Enterprise now supports OAuth 2.0 for SMTP server authentication. This release adds support for Microsoft Exchange Server.
    • Splunk Enterprise Python 3.9: Python version 3.7 has been removed from Splunk Enterprise 10.0 and higher. Python 3.9 is the only interpreter available in this release.
    • Dashboard Studio enhancements: See What's new in Dashboard Studio.
    • Preview feature: Field filters now support the typeahead and walklex commands.
    • Preview feature: Field filters are now first in the sequence of search-time operations, which has implications for downstream operations.
    • Dynamic limit for scheduled searches: Splunk Enterprise 10.0 introduces the dynamic_max_searches_perc setting to automatically adjust the scheduled search concurrency limit.
    • Effective configuration: This feature lets you view the actual configuration installed on your forwarders without logging into the machines or running btool.
    • Bulk Data Move: Allows users to efficiently reorganize indexes and move data between them using specific search criteria. Available for Standalone deployments only.
    • OpenTelemetry Collectors: View information about OTel Collectors you manage, helping monitor status of your agents in one place.
    • Observability metrics in Dashboard Studio: Create charts based on observability metrics or import existing Splunk Observability Cloud charts.
    • Preview observability data in the Search app: See previews of Splunk Observability Cloud data related to events in the Search & Reporting application.
    • View an observability service map in Dashboard Studio dashboards: Add a service map for services monitored in Splunk Observability Cloud into Dashboard Studio.
    • SPL2 module permissions: Module creators are automatically given execute, read, and write permissions on that module.
    • Deprecated version 1.0 endpoints for the Search API are now deactivated by default.
    • Sunsetting of the Upgrade Readiness App: Support for the Upgrade Readiness App has ended and it has been removed from this version.
    • Updated alerts page: The alerts page is updated for usability and accessibility.
    • Favorite knowledge objects: Users can now add and remove reports from favorites.
    • Agent management can upgrade universal forwarders: Upgrade universal forwarders centrally through agent management or deployment server after one-time setup.
    • Ingest Actions Live Capture on search heads: Live Capture improves accuracy of event previews in Ingest Actions, available in both Splunk Cloud and Splunk Enterprise deployments.
  • Jun 5, 2025
    • Parsed from source:
      Jun 5, 2025
    • Detected by Releasebot:
      Sep 17, 2025

    Splunk Enterprise by Splunk

    What's new in 9.4.3

    Splunk Enterprise 9.4.3 is out, dated June 5, 2025. The release shifts KV store server to version 7.0 for all 9.4+ deployments, delivering security improvements and better performance. The upgrade happens automatically during the Splunk Enterprise 9.4 upgrade, and users are guided to plan the KV store upgrade per the Splunk Support Policy and Admin manual. This release emphasizes security, policy,

    Splunk Enterprise 9.4.3 was released on June 5, 2025. It resolves the issues described in Fixed issues.

    • Splunk Enterprise versions 9.4 and higher no longer support KV store server version 4.2.
    • Upgrade to KV store server version 7.0 for continued support and security, and to comply with Splunk Support Policy. For more details, see Splunk Support Policy. Your deployment automatically upgrades your KV store during your upgrade to Splunk Enterprise 9.4. This new server version includes security enhancements and improves the performance of your KV store. See Upgrade the KV store server version in the Admin manual to plan your upgrade.
  • Apr 28, 2025
    • Parsed from source:
      Apr 28, 2025
    • Detected by Releasebot:
      Sep 17, 2025

    Splunk Enterprise by Splunk

    What's new in 9.4.2

    Splunk Enterprise 9.4.2 was released on April 28, 2025. It resolves the issues described in Fixed issues.

  • Feb 26, 2025
    • Parsed from source:
      Feb 26, 2025
    • Detected by Releasebot:
      Sep 17, 2025

    Splunk Enterprise by Splunk

    What's New in 9.4.1

    Fixed issues

    Splunk Enterprise 9.4.1 was released on February 26, 2025. It resolves the issues described in Fixed issues.

  • Dec 16, 2024
    • Parsed from source:
      Dec 16, 2024
    • Detected by Releasebot:
      Sep 17, 2025

    Splunk Enterprise by Splunk

    Welcome to Splunk Enterprise 9.4

    Splunk Enterprise 9.4 drops with a broad feature set: revamped Deployment Server UI and health views, upgraded KV store to v7.0, SPL2 support via API, enhanced eval functions, and improved SHC resilience. Federated Search gains metric index support, eventcount, and mcatalog compatibility, plus workload and S2S queue enhancements and cgroups v2 default.

    Splunk Enterprise 9.4 was released on December 16, 2024.
    If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
    For system requirements information, see the Installation Manual.
    Before proceeding, review the Known Issues for this release.

    Planning to upgrade from an earlier version?
    If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
    See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
    The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

    What's New in 9.4

    • Deployment server version 9.4: Deployment Server provides a centralized location and user interface to manage, maintain, and troubleshoot all types of Splunk agents, such as the Universal Forwarder and the Heavy Forwarder. Deployment Server 9.4.0 provides the following new capabilities: an overview of the health and status of your agents; a new UI with a shorter load time and updated user experience; and accessibility compliance.
    • Upgrade KV store server version from 4.2 to 7.0: Splunk Enterprise versions 9.4 and higher work best with KV store server version 7.0. Your deployment automatically upgrades your KV store during your upgrade to Splunk Enterprise 9.4. This new server version includes security enhancements and improves the performance of your KV store. See Upgrade the KV store server version in the Admin manual to plan your upgrade.
    • Stats V1 removal: Version 1 of the stats command has been removed and replaced with version 2 of the stats command.
    • Enhancement to the foreach command: A new auto_collections mode has been added to the foreach command. The auto_collections mode dynamically iterates over a JSON array or multivalue field depending on which element is present in the search. See foreach in the Search Reference.
    • Federated Search for Splunk: Metric indexes now supported as a new dataset type for federated searches: With this release, Federated Search for Splunk adds a new dataset type for standard mode federated searches: metric indexes. You can now run federated searches over metric index datasets. Additional error handling has been added to ensure that you apply event generating commands to event index datasets and apply metric generating commands to metric index datasets. Note: This is a breaking change for previous federated searches of metric indexes. If you are upgrading the federated search head on your local deployment from a previous version of the Splunk platform, and you have defined federated indexes on that federated search head that map to index datasets which contain metric data, you must replace those federated indexes with new federated indexes that map to metric index datasets. This update does not require you to make any changes to the remote deployment. For more information about defining federated indexes that map to metric index datasets, see Map a federated index to a remote Splunk dataset in Federated Search. For more information about writing federated searches for metric index datasets, see Run federated searches over remote Splunk platform deployments in Federated Search.
    • Federated Search for Splunk: Support for eventcount across Standard and Transparent mode: The eventcount command is now supported by Federated Search for Splunk. This support includes the option to have eventcount return event counts for indexes on remote Splunk platform deployments that are designated as federated providers. eventcount search results now include a provider column that identifies the federated providers that listed indexes belong to. For more information, see eventcount in the Search Reference.
    • Federated Search for Splunk: Standard mode federated search support for the mcatalog command: The mcatalog command is now supported for standard mode federated searches. For more information, see Run federated searches over remote Splunk platform deployments in Federated Search, and mcatalog in the Search Reference.
    • Internal Library Settings: The Internal Library Settings page is removed. Deprecated libraries and unsupported hotlinked imports are restricted, and Splunk Cloud Platform no longer offers a self-service option to use them. For more information about Internal Library Settings, see Control access to jQuery and other internal libraries in the jQuery Upgrade Readiness manual.
    • Dashboard Studio enhancements: See What's new in Dashboard Studio.
    • SPL2-based application development: This version of Splunk Enterprise supports SPL2 via API, to help admins create powerful apps to gain more control over their ecosystem while allowing developers massive flexibility for the custom apps they can build. Admins and developers can use the API or the Splunk Extension for VS Code to create their apps. Admins and developers can ship SPL2 module files that define custom functions, views, data types, and more to curate resources within their application for users. Users can leverage these resources in the Splunk search bar to create dashboards and reports, by writing single-statement SPL2 searches. See Create SPL2-based apps in the Splunk Developer Guide on dev.splunk.com. Admins can use SPL2 views with run-as-owner permissions. This applies special permissions on modules to execute views under a more privileged context, allowing multiple roles to access sensitive data with different levels of custom data masking. See Manage SPL2-based apps in the Splunk Enterprise Admin Manual.
    • Eval function enhancements for data type conversion and type testing: You can use the following new eval data type conversion functions to manipulate values in eval searches: toarray to convert a value to an array value; tobool to convert a value to a boolean value; todouble to convert a value to a double value; toint to convert a value to an integer value; tomv to convert a value to a multivalue; toobject to convert a value to the equivalent object value of the field, if any; json_entries to convert a value to an array of JSON objects with key and value fields. You can use the following new eval functions to return information about values in eval searches: isarray to test whether a value is an array value; isdouble to test whether a value is a double value; ismv to test whether a value is a multivalue; isobject to test whether a value is an object; json_has_key_exact to test whether a JSON key is in a JSON object. For more information, see Common eval functions in the Splunk Enterprise Search Reference.
    • Eliminate SHC out-of-sync issues: Search head cluster (SHC) replication has been improved to reduce out-of-sync errors. Previously, large CSV lookup files that exceeded the 5GB file size limit could block replication and cause cluster members to go out of sync, often requiring a "destructive resync" to remediate. Now if a CSV lookup exceeds the lookup file size limit, the cluster automatically quarantines the lookup on the search head on which it is generated, without blocking replication of other objects. The splunkd health report shows the number of quarantined lookups and admins can run a search to get details on these lookups for remediation. For more information, see Quarantining large CSV lookup files in search head clusters in the Knowledge Manager Manual.
    • Workload management - Support for cgroups version 2: Workload management now supports Linux operating systems that use cgroups version 2. Splunk Enterprise 9.4 is enabled by default to automatically detect and switch to cgroups v2. For more information, see Configure cgroups v2 in Splunk Enterprise in Workload Management.
    • Support for persistent queues for output queues with the Splunk to Splunk (S2S) protocol: You can use persistent queues on output queues to automatically fall back to disk and recover in case of destination or network failure. Use cases include collecting data for a remote Splunk deployment (with intermittent connectivity or a need to survive a long network outage) and/or cloning data to one or multiple Splunk destinations via the S2S protocol, with no data loss and minimal impact if a destination is unavailable.
